Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2023, 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5b64e80944a8bc466b913ba5c246eb24ed63f533c8beb15ccd697191fe165b1.exe

  • Size

    551KB

  • MD5

    1a0a9f0c29a3f2b902cc7964d1490d21

  • SHA1

    eccbf588d28ed6365b807f8bcc84098cc3bab829

  • SHA256

    a5b64e80944a8bc466b913ba5c246eb24ed63f533c8beb15ccd697191fe165b1

  • SHA512

    7bd062037c005f9342f5354b1dafe1b0c0351801e9115f7b5ee7bc54c92904844c8b2c5276494609000fe923eb626c32758c55696051b14c2df3578e067206ee

  • SSDEEP

    12288:JMrgy90dRvVAYbZ3gdnoceEwzLu8duuQ2M4fS:xyeV7b2oUk68YOM46

Score
10/10
redlinefomichstekdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

stek

C2

melevv.eu:4162

Attributes
  • auth_value

    4205381daf6946b2df5fe3bc7eacc918

Extracted

Family

redline

Botnet

fomich

C2

melevv.eu:4162

Attributes
  • auth_value

    b018e52ac946001794d8b8c23e901859

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5b64e80944a8bc466b913ba5c246eb24ed63f533c8beb15ccd697191fe165b1.exe
    "C:\Users\Admin\AppData\Local\Temp\a5b64e80944a8bc466b913ba5c246eb24ed63f533c8beb15ccd697191fe165b1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpg1990FS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpg1990FS.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59qx15JL73.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59qx15JL73.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4412
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tsz85jO42.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tsz85jO42.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:212
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1604
          4⤵
          • Program crash
          PID:4480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uOg08oV28.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uOg08oV28.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4972
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 212 -ip 212
    1⤵
      PID:4800
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:3328

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uOg08oV28.exe
      Filesize

      175KB

      MD5

      cf4601f34173a0c6b95faccb8184c4b8

      SHA1

      e68a609609d41c943f17dad9cb18924fe8c101e5

      SHA256

      2ca9b6aa0a964ed6cd1bb083819b38ea582ac4599023be287a98ca7765eda244

      SHA512

      d73e51e27f3a866724d81c9b431cce37c2dd3f9f5e0b3a24dc37a1090b388fb1429ace9134c2d3915b0f7b20c047663963b062840d1a52a5b692f4405d046d4d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uOg08oV28.exe
      Filesize

      175KB

      MD5

      cf4601f34173a0c6b95faccb8184c4b8

      SHA1

      e68a609609d41c943f17dad9cb18924fe8c101e5

      SHA256

      2ca9b6aa0a964ed6cd1bb083819b38ea582ac4599023be287a98ca7765eda244

      SHA512

      d73e51e27f3a866724d81c9b431cce37c2dd3f9f5e0b3a24dc37a1090b388fb1429ace9134c2d3915b0f7b20c047663963b062840d1a52a5b692f4405d046d4d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpg1990FS.exe
      Filesize

      406KB

      MD5

      57ec930586eddf06701669925b5b481d

      SHA1

      24d48a479f80fd2c143608d69c897e905f98c931

      SHA256

      04dc08517d2eebcb06a5fdbc851246f96e8a0b71e5607aa5568cf03438eb98df

      SHA512

      2c8bb9a15feddbd7355488380d6cacba285685dbc0ad6703220805e80e0840c86d47ed780eefa82072e0caab150c1c74bb05d7da6cb1f85a5420880da1c642ff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpg1990FS.exe
      Filesize

      406KB

      MD5

      57ec930586eddf06701669925b5b481d

      SHA1

      24d48a479f80fd2c143608d69c897e905f98c931

      SHA256

      04dc08517d2eebcb06a5fdbc851246f96e8a0b71e5607aa5568cf03438eb98df

      SHA512

      2c8bb9a15feddbd7355488380d6cacba285685dbc0ad6703220805e80e0840c86d47ed780eefa82072e0caab150c1c74bb05d7da6cb1f85a5420880da1c642ff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59qx15JL73.exe
      Filesize

      17KB

      MD5

      cf4148568aad3433eb5b0ab6379dbaae

      SHA1

      c547df6b086cffb1f6867e26b0f0a43855da556e

      SHA256

      3f48e4dd616486dacf9b82ca033a3fca3bcc87a026fa9cf7f370f4cd96fd24d7

      SHA512

      9494fcf5eb6b92dfb7a0be8b8e1ac190509197c1ce6810b6062bc60b28cf4cf5924345cecd5c93cdd09dffd5531a254bf4f2352056fb4d4fb5d6acd43ff7d7ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw59qx15JL73.exe
      Filesize

      17KB

      MD5

      cf4148568aad3433eb5b0ab6379dbaae

      SHA1

      c547df6b086cffb1f6867e26b0f0a43855da556e

      SHA256

      3f48e4dd616486dacf9b82ca033a3fca3bcc87a026fa9cf7f370f4cd96fd24d7

      SHA512

      9494fcf5eb6b92dfb7a0be8b8e1ac190509197c1ce6810b6062bc60b28cf4cf5924345cecd5c93cdd09dffd5531a254bf4f2352056fb4d4fb5d6acd43ff7d7ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tsz85jO42.exe
      Filesize

      387KB

      MD5

      066b5456cc754c4c01232eb5f6528b57

      SHA1

      a530c7bbf3cda6f6edf3d5b210a43630d3828f40

      SHA256

      b428258fc52be23096aa6c4e68251e60514dedcd2ee8a4cdca2f60d3f55a1630

      SHA512

      09ac6e0aa74919ee2321b79f267cf14baf3a8cb2bf3e589ae3b764af1e7ce495bea67c9ebcfcbb92ac4b4c3d8557052a1c979066138f0c4439a8c4d5e38878d5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tsz85jO42.exe
      Filesize

      387KB

      MD5

      066b5456cc754c4c01232eb5f6528b57

      SHA1

      a530c7bbf3cda6f6edf3d5b210a43630d3828f40

      SHA256

      b428258fc52be23096aa6c4e68251e60514dedcd2ee8a4cdca2f60d3f55a1630

      SHA512

      09ac6e0aa74919ee2321b79f267cf14baf3a8cb2bf3e589ae3b764af1e7ce495bea67c9ebcfcbb92ac4b4c3d8557052a1c979066138f0c4439a8c4d5e38878d5

      Download Submit

    • memory/212-153-0x0000000002BD0000-0x0000000002C1B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/212-154-0x00000000073C0000-0x0000000007964000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/212-155-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-156-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-158-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-159-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-162-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-161-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-165-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-163-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-167-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-169-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-171-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-173-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-175-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-177-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-179-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-181-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-183-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-185-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-187-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-189-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-191-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-193-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-195-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-197-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-199-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-201-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-203-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-205-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-207-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-209-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-211-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-213-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-215-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-217-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-219-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-221-0x0000000007320000-0x000000000735E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/212-1064-0x0000000007970000-0x0000000007F88000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/212-1065-0x0000000007FB0000-0x00000000080BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/212-1066-0x00000000080F0000-0x0000000008102000-memory.dmp

      Filesize

      72KB

      Download

    • memory/212-1067-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-1068-0x0000000008110000-0x000000000814C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/212-1070-0x0000000008410000-0x00000000084A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/212-1071-0x00000000084B0000-0x0000000008516000-memory.dmp

      Filesize

      408KB

      Download

    • memory/212-1072-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-1073-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-1074-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-1075-0x0000000008CC0000-0x0000000008E82000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/212-1076-0x0000000008EA0000-0x00000000093CC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/212-1077-0x00000000073B0000-0x00000000073C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/212-1078-0x0000000009650000-0x00000000096C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/212-1079-0x00000000096D0000-0x0000000009720000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4412-147-0x00000000000C0000-0x00000000000CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4972-1085-0x0000000000A20000-0x0000000000A52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4972-1086-0x00000000057C0000-0x00000000057D0000-memory.dmp

      Filesize

      64KB

      Download